Re: How to hook the system call?
On Mon, Nov 28, 2011 at 02:12:37AM +0100, richard -rw- weinberger wrote:
> Please keep in mind that hooking a system call is very bad and error prone.

Sure.

--
Jonathan Neuschäfer

___
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Re: How to hook the system call?
On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
> Hello everyone,
> I am going to hook a system call like 'read' or 'send' by modifying the
> sys_call_table, but it seems that the sys_call_table is in a read-only
> page. How can I modify the sys_call_table? Or is there any method that I
> can use to hook a system call in a module without modifying the kernel
> source?

There's a kernel module for advanced rickrolling that overwrites the open
entry in the syscall table: https://github.com/fpletz/kernelroll

It does some trickery to make the page writable first.

HTH,
Jonathan Neuschäfer
Re: How to hook the system call?
On Sun, Nov 27, 2011 at 11:17 PM, Jonathan Neuschäfer j.neuschae...@gmx.net wrote:
> On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
> > Hello everyone,
> > I am going to hook a system call like 'read' or 'send' by modifying the
> > sys_call_table, but it seems that the sys_call_table is in a read-only
> > page. How can I modify the sys_call_table? Or is there any method that I
> > can use to hook a system call in a module without modifying the kernel
> > source?

Please keep in mind that hooking a system call is very bad and error prone.

--
Thanks,
//richard
Re: How to hook the system call?
Thanks for the advice!

I am using the LSM framework even though it needs recompiling the kernel. But I will also give the kernelroll module a try. Modifying sys_call_table is more error-prone, but it gives more freedom than the LSM framework, which can only hook at a limited set of hooking points.

On Mon, Nov 28, 2011 at 9:12 AM, richard -rw- weinberger richard.weinber...@gmail.com wrote:
> On Sun, Nov 27, 2011 at 11:17 PM, Jonathan Neuschäfer j.neuschae...@gmx.net wrote:
> > On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
> > > Hello everyone,
> > > I am going to hook a system call like 'read' or 'send' by modifying the
> > > sys_call_table, but it seems that the sys_call_table is in a read-only
> > > page. How can I modify the sys_call_table? Or is there any method that I
> > > can use to hook a system call in a module without modifying the kernel
> > > source?
>
> Please keep in mind that hooking a system call is very bad and error prone.
>
> --
> Thanks,
> //richard

--
Geraint Yang
Tsinghua University
Department of Computer Science and Technology
How to hook the system call?
Hello everyone,

I am going to hook a system call like 'read' or 'send' by modifying the sys_call_table, but it seems that the sys_call_table is in a read-only page. How can I modify the sys_call_table? Or is there any method that I can use to hook a system call in a module without modifying the kernel source?

Thanks!

--
Geraint Yang
Tsinghua University
Department of Computer Science and Technology
Re: How to hook the system call?
On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang geraint0...@gmail.com wrote:
> Hello everyone,
> I am going to hook a system call like 'read' or 'send' by modifying the
> sys_call_table, but it seems that the sys_call_table is in a read-only
> page. How can I modify the sys_call_table? Or is there any method that I
> can use to hook a system call in a module without modifying the kernel
> source?
> Thanks!

On a 2.6.35 kernel, it worked for me just by changing an entry in the
sys_call_table, within a kernel module. Something like this:

    /* save the original handler, then install the interceptor in its slot */
    spin_lock(sys_call_table_lock);
    old_sys_calls[sys_call] = sys_call_table[sys_call];
    sys_call_table[sys_call] = interceptor;
    is_intercepted[sys_call] = 1;
    spin_unlock(sys_call_table_lock);

    /* the interceptor forwards to the saved original, then does its own work */
    asmlinkage long interceptor(struct syscall_params sp)
    {
            long sys_call = sp.eax, r = 0;
            r = old_sys_calls[sys_call](sp);
            do_stuff();
            return r;
    }

--
Alexandru Juncu
Re: How to hook the system call?
On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu alex.ju...@rosedu.org wrote:
> On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang geraint0...@gmail.com wrote:
> > Hello everyone,
> > I am going to hook a system call like 'read' or 'send' by modifying the
> > sys_call_table, but it seems that the sys_call_table is in a read-only
> > page. How can I modify the sys_call_table? Or is there any method that I
> > can use to hook a system call in a module without modifying the kernel
> > source?
> > Thanks!
>
> On a 2.6.35 kernel, it worked for me just by changing an entry in the
> sys_call_table, within a kernel module. Something like this:

Alex, I am pretty sure that you are using a hacked version of 2.6.35.

Geraint,

In order to be able to hook a syscall you must do the following:

1. Export sys_call_table in arch/x86/kernel/i386_ksyms_32.c:

    extern void* sys_call_table[];
    EXPORT_SYMBOL(sys_call_table);

2. Make sys_call_table writable. In arch/x86/kernel/entry_32.S you must have:

    .section .data,"a"
    #include "syscall_table_32.S"

thanks,
Daniel.
Re: How to hook the system call?
On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta daniel.bal...@gmail.com wrote:
> On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu alex.ju...@rosedu.org wrote:
> > On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang geraint0...@gmail.com wrote:
> > > Hello everyone,
> > > I am going to hook a system call like 'read' or 'send' by modifying the
> > > sys_call_table, but it seems that the sys_call_table is in a read-only
> > > page. How can I modify the sys_call_table? Or is there any method that I
> > > can use to hook a system call in a module without modifying the kernel
> > > source?
> > > Thanks!
> >
> > On a 2.6.35 kernel, it worked for me just by changing an entry in the
> > sys_call_table, within a kernel module. Something like this:
>
> Alex, I am pretty sure that you are using a hacked version of 2.6.35.
>
> Geraint,
>
> In order to be able to hook a syscall you must do the following:
>
> 1. Export sys_call_table in arch/x86/kernel/i386_ksyms_32.c:
>
>     extern void* sys_call_table[];
>     EXPORT_SYMBOL(sys_call_table);
>
> 2. Make sys_call_table writable. In arch/x86/kernel/entry_32.S you must have:
>
>     .section .data,"a"
>     #include "syscall_table_32.S"
>
> thanks,
> Daniel.

Ah, Daniel is right... I forgot about that part...
Re: How to hook the system call?
On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu alex.ju...@rosedu.org wrote:
> On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta daniel.bal...@gmail.com wrote:
> > On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu alex.ju...@rosedu.org wrote:
> > > On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang geraint0...@gmail.com wrote:
> > > > Hello everyone,
> > > > I am going to hook a system call like 'read' or 'send' by modifying the
> > > > sys_call_table, but it seems that the sys_call_table is in a read-only
> > > > page. How can I modify the sys_call_table? Or is there any method that I
> > > > can use to hook a system call in a module without modifying the kernel
> > > > source?
> > > > Thanks!
> > >
> > > On a 2.6.35 kernel, it worked for me just by changing an entry in the
> > > sys_call_table, within a kernel module. Something like this:
> >
> > Alex, I am pretty sure that you are using a hacked version of 2.6.35.
> >
> > Geraint,
> >
> > In order to be able to hook a syscall you must do the following:
> >
> > 1. Export sys_call_table in arch/x86/kernel/i386_ksyms_32.c:
> >
> >     extern void* sys_call_table[];
> >     EXPORT_SYMBOL(sys_call_table);
> >
> > 2. Make sys_call_table writable. In arch/x86/kernel/entry_32.S you must have:
> >
> >     .section .data,"a"
> >     #include "syscall_table_32.S"
> >
> > thanks,
> > Daniel.
>
> Ah, Daniel is right... I forgot about that part...

You can get the address of the sys_call_table from /proc/kallsyms, and regarding the read-only section of this symbol, you can re-map the addresses by making use of the vmap API in the kernel. This will avoid the need for recompiling the kernel. But I would not recommend you to do this.

There is an LSM framework specifically available for this; try to see if you can make use of that.

Regards,
Rohan Puri
Re: How to hook the system call?
Hi,

Thank you all for helping me with my problem! I don't want to modify my kernel source, so I am trying to learn to use the LSM security hooks. Even though it seems that they can't hook all the system calls, I think it should be enough for me.

Thanks again!

On Wed, Nov 23, 2011 at 8:02 PM, rohan puri rohan.pur...@gmail.com wrote:
> On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu alex.ju...@rosedu.org wrote:
> > On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta daniel.bal...@gmail.com wrote:
> > > On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu alex.ju...@rosedu.org wrote:
> > > > On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang geraint0...@gmail.com wrote:
> > > > > Hello everyone,
> > > > > I am going to hook a system call like 'read' or 'send' by modifying the
> > > > > sys_call_table, but it seems that the sys_call_table is in a read-only
> > > > > page. How can I modify the sys_call_table? Or is there any method that I
> > > > > can use to hook a system call in a module without modifying the kernel
> > > > > source?
> > > > > Thanks!
> > > >
> > > > On a 2.6.35 kernel, it worked for me just by changing an entry in the
> > > > sys_call_table, within a kernel module. Something like this:
> > >
> > > Alex, I am pretty sure that you are using a hacked version of 2.6.35.
> > >
> > > Geraint,
> > >
> > > In order to be able to hook a syscall you must do the following:
> > >
> > > 1. Export sys_call_table in arch/x86/kernel/i386_ksyms_32.c:
> > >
> > >     extern void* sys_call_table[];
> > >     EXPORT_SYMBOL(sys_call_table);
> > >
> > > 2. Make sys_call_table writable. In arch/x86/kernel/entry_32.S you must have:
> > >
> > >     .section .data,"a"
> > >     #include "syscall_table_32.S"
> > >
> > > thanks,
> > > Daniel.
> >
> > Ah, Daniel is right... I forgot about that part...
>
> You can get the address of the sys_call_table from /proc/kallsyms, and regarding the read-only section of this symbol, you can re-map the addresses by making use of the vmap API in the kernel. This will avoid the need for recompiling the kernel. But I would not recommend you to do this.
>
> There is an LSM framework specifically available for this; try to see if you can make use of that.
>
> Regards,
> Rohan Puri

--
Geraint Yang
Tsinghua University
Department of Computer Science and Technology
Re: How to hook the system call?
On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang geraint0...@gmail.com wrote:
> Hi,
>
> Thank you all for helping me with my problem! I don't want to modify my
> kernel source, so I am trying to learn to use the LSM security hooks. Even
> though it seems that they can't hook all the system calls, I think it should
> be enough for me.
>
> Thanks again!

I know that AppArmor can hook syscalls like read, write and memory mapping and can deny or accept them. I am not sure if you can make it do something else when hooked, but I know it has a script-like configuration, so maybe you can take some other actions.
Re: How to hook the system call?
Hi,

I have tried the LSM framework, but when I make my module, I get the warning: 'register_security' undefined. Then I checked security/security.c and found out that register_security is not exported! So if I want to use this function, I must hack the kernel by exporting it and recompiling the kernel, which is allowed for me. So... well, it seems that LSM doesn't work for a module without modifying the kernel source.

On Thu, Nov 24, 2011 at 12:59 AM, Alexandru Juncu alex.ju...@rosedu.org wrote:
> On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang geraint0...@gmail.com wrote:
> > Hi,
> >
> > Thank you all for helping me with my problem! I don't want to modify my
> > kernel source, so I am trying to learn to use the LSM security hooks. Even
> > though it seems that they can't hook all the system calls, I think it should
> > be enough for me.
> >
> > Thanks again!
>
> I know that AppArmor can hook syscalls like read, write and memory mapping and can deny or accept them. I am not sure if you can make it do something else when hooked, but I know it has a script-like configuration, so maybe you can take some other actions.

--
Geraint Yang
Tsinghua University
Department of Computer Science and Technology
Re: How to hook the system call?
On Wed, Nov 23, 2011 at 6:05 PM, Geraint Yang geraint0...@gmail.com wrote:
> Hi,
>
> I have tried the LSM framework, but when I make my module, I get the
> warning: 'register_security' undefined. Then I checked security/security.c
> and found out that register_security is not exported! So if I want to use
> this function, I must hack the kernel by exporting it and recompiling the
> kernel, which is allowed for me. So... well, it seems that LSM doesn't work
> for a module without modifying the kernel source.
>
> On Thu, Nov 24, 2011 at 12:59 AM, Alexandru Juncu alex.ju...@rosedu.org wrote:
> > On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang geraint0...@gmail.com wrote:
> > > Hi,
> > >
> > > Thank you all for helping me with my problem! I don't want to modify my
> > > kernel source, so I am trying to learn to use the LSM security hooks. Even
> > > though it seems that they can't hook all the system calls, I think it should
> > > be enough for me.
> > >
> > > Thanks again!
> >
> > I know that AppArmor can hook syscalls like read, write and memory mapping and can deny or accept them. I am not sure if you can make it do something else when hooked, but I know it has a script-like configuration, so maybe you can take some other actions.

If you can hook the system calls, you could try KProbes, which is dynamic instrumentation that is used in the Linux kernel. You could use a JProbe to capture the function parameters of the instrumented function. If you have KProbes in your kernel, you can create a module to instrument the syscall that you want. Maybe it can be a starting point for you...

Other projects that use KProbes are DProbes and SystemTap; you can also give them a look.

> --
> Geraint Yang
> Tsinghua University
> Department of Computer Science and Technology

--
Nuno Martins
Re: How to hook the system call?
On Wed, Nov 23, 2011 at 11:35 PM, Geraint Yang geraint0...@gmail.com wrote:
> Hi,
>
> I have tried the LSM framework, but when I make my module, I get the
> warning: 'register_security' undefined. Then I checked security/security.c
> and found out that register_security is not exported! So if I want to use
> this function, I must hack the kernel by exporting it and recompiling the
> kernel, which is allowed for me. So... well, it seems that LSM doesn't work
> for a module without modifying the kernel source.

This function is declared as extern in the header linux/security.h; you can include this header in your code and call this function.

> On Thu, Nov 24, 2011 at 12:59 AM, Alexandru Juncu alex.ju...@rosedu.org wrote:
> > On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang geraint0...@gmail.com wrote:
> > > Hi,
> > >
> > > Thank you all for helping me with my problem! I don't want to modify my
> > > kernel source, so I am trying to learn to use the LSM security hooks. Even
> > > though it seems that they can't hook all the system calls, I think it should
> > > be enough for me.
> > >
> > > Thanks again!
> >
> > I know that AppArmor can hook syscalls like read, write and memory mapping and can deny or accept them. I am not sure if you can make it do something else when hooked, but I know it has a script-like configuration, so maybe you can take some other actions.
>
> --
> Geraint Yang
> Tsinghua University
> Department of Computer Science and Technology

Regards,
Rohan Puri